Penetration Testing mailing list archives

Re: (preparing for)Pentesting firewall /Checkpoint box


From: David Howe <DaveHowe.Pentest () googlemail com>
Date: Wed, 19 Aug 2009 15:37:06 +0100

Todd Haverkos wrote:
> I'd advise against fearing the paid pentest, or contributing to a "rubber
> stamp" mentality in the company that'll undermine the value you can
> get from a penetration test. I can't recall who said it at which
> DEF CON, but the quote was "People don't want to be secure. They want
> to have a rubber stamp that says they're secure." Such a thought
> really impairs improving things, so it's definitely a mindset to
> avoid.

I disagree.

While it is good that vulnerabilities are found, having your
shortcomings listed in a formal report to your boss and his boss is
often a significant career- and wage-limiting move.

It would be better if, on a weekly or monthly basis, you knew how to
check your own boxes, and fixed (on a weekly or monthly basis) anything
you found, rather than relying on a once-per-year-at-most external
pentest that might miss an item anyhow.

If the external test finds nothing *because you already found and
patched it two months prior*, then you not only get to give a sigh of
relief, but you will also never know whether your company would have
lost a million dollars to a hacker attack *that never happened because
you found and patched the vulnerability months ago*. That attack would
have happened anyhow, because by the time your external pentest company
did their test, wrote up a formal report, and gave it to your manager,
who then spent his time looking to deflect blame from himself and then
acquired the budget to get a consultant in to fix the issue, the
attackers would have been in and gone.

That is why I am here. I am not a pentester; I am a network admin who
wants to protect his own systems the best that he can, rather than rely
on an external test once per year to present the output of Nessus and
recommend we update the DLLs on a NetWare server...

